Referrer-Policy HTTP Header

Avatar
Jordan Anderson-Phillips
  • Updated
Follow

This article explains what the Referrer-Policy HTTP header does, the meaning of each policy option, and how to configure it in the Back Office.

❓ What Is the Referrer-Policy Header?

The Referrer-Policy HTTP header controls how much referrer information (the URL of the page a user came from) is sent by the browser when navigating between pages or making requests.

This setting impacts privacy and security by limiting which parts of the referrer URL (such as paths or query strings) are shared with other pages or external domains.

Referrer policies are commonly used to:

  • Protect user privacy

  • Prevent sensitive URL data from being exposed

  • Control analytics and tracking behaviour

Default behaviour:
If the Referrer-Policy option is set to “None” in the Back Office, the site will use the browser’s default behaviour, which is strict-origin-when-cross-origin.

⚙️ Where to Edit Referrer-Policy in the Back Office

To configure the Referrer-Policy for your site:

  1. Go to Settings.

  2. Select Site Settings.

  3. Open Security Settings.

  4. Locate Referrer Policy Header.

  5. Select one of the available policy options.

  6. Select Save to apply the policy.

📋 Referrer-Policy Options Explained

Below is an overview of each available option and what it does.

🔒 no-referrer

  • No referrer information is sent at all

  • No URL, origin, or source data is shared

Use case: Maximum privacy

🔁 no-referrer-when-downgrade

  • Full URL sent for HTTPS → HTTPS

  • No referrer sent for HTTPS → HTTP

Notes:

  • Legacy default in many older browsers

  • More permissive than modern defaults

🏠 same-origin

  • Full referrer sent only for same-origin requests

  • No referrer sent for cross-origin requests

Use case: Internal tracking only

🌐 origin

  • Only the origin (scheme + domain + port) is sent

  • Applies to both same-origin and cross-origin requests

Example:
From https://example.com/page1 → referrer becomes https://example.com

🔐 strict-origin

  • Sends origin for HTTPS → HTTPS

  • Sends no referrer for downgraded requests (HTTPS → HTTP)

Use case: Stronger security with limited referrer data

⚖️ origin-when-cross-origin

  • Full URL sent for same-origin requests

  • Only origin sent for cross-origin requests

Use case: Balanced privacy and usability

✅ strict-origin-when-cross-origin

  • Full URL sent for same-origin requests

  • Only origin sent for cross-origin HTTPS requests

  • No referrer sent for HTTPS → HTTP

Notes:

  • Modern default in most browsers

  • Used by default when the Referrer-Policy setting is set to “None”

  • Recommended for most sites

⚠️ unsafe-url

  • Full referrer URL always sent

  • Includes path and query parameters

Warning:
This is the least secure option and may expose sensitive information.
Not recommended.

🧠 Tips for Choosing a Policy

  • High privacy:
    no-referrer or strict-origin-when-cross-origin

  • Legacy / broad compatibility:
    no-referrer-when-downgrade

  • Balanced privacy:
    same-origin or origin-when-cross-origin

  • Full tracking:
    unsafe-url (not recommended)

✅ After Selecting a Policy

Once a Referrer-Policy option is selected and saved in Security Settings:

  • The policy is applied site-wide

  • Browsers will immediately follow the new referrer rules

  • Referrer data sent with requests will follow the selected policy

Was this article helpful?
1 out of 1 found this helpful
Return to top

Comments

0 comments

Please sign in to leave a comment.